# How to integrate 21risk MCP with Mastra AI ```json { "title": "How to integrate 21risk MCP with Mastra AI", "toolkit": "21risk", "toolkit_slug": "_21risk", "framework": "Mastra AI", "framework_slug": "mastra-ai", "url": "https://composio.dev/toolkits/_21risk/framework/mastra-ai", "markdown_url": "https://composio.dev/toolkits/_21risk/framework/mastra-ai.md", "updated_at": "2026-05-12T09:59:46.287Z" } ``` ## Introduction This guide walks you through connecting 21risk to Mastra AI using the Composio tool router. By the end, you'll have a working 21risk agent that can download audit reports for last quarter, list all sites with open compliance issues, fetch monthly risk data for top properties through natural language commands. This guide will help you understand how to give your Mastra AI agent real control over a 21risk account through Composio's 21risk MCP server. Before we dive in, let's take a quick look at the key ideas and tools involved. ## Also integrate 21risk with - [OpenAI Agents SDK](https://composio.dev/toolkits/_21risk/framework/open-ai-agents-sdk) - [Claude Agent SDK](https://composio.dev/toolkits/_21risk/framework/claude-agents-sdk) - [Claude Code](https://composio.dev/toolkits/_21risk/framework/claude-code) - [Claude Cowork](https://composio.dev/toolkits/_21risk/framework/claude-cowork) - [Codex](https://composio.dev/toolkits/_21risk/framework/codex) - [OpenClaw](https://composio.dev/toolkits/_21risk/framework/openclaw) - [Hermes](https://composio.dev/toolkits/_21risk/framework/hermes-agent) - [CLI](https://composio.dev/toolkits/_21risk/framework/cli) - [Google ADK](https://composio.dev/toolkits/_21risk/framework/google-adk) - [LangChain](https://composio.dev/toolkits/_21risk/framework/langchain) - [Vercel AI SDK](https://composio.dev/toolkits/_21risk/framework/ai-sdk) - [LlamaIndex](https://composio.dev/toolkits/_21risk/framework/llama-index) - [CrewAI](https://composio.dev/toolkits/_21risk/framework/crew-ai) ## TL;DR Here's what you'll learn: - Set up your environment so Mastra, OpenAI, and Composio work together - Create a Tool Router session in Composio that exposes 21risk tools - Connect Mastra's MCP client to the Composio generated MCP URL - Fetch 21risk tool definitions and attach them as a toolset - Build a Mastra agent that can reason, call tools, and return structured results - Run an interactive CLI where you can chat with your 21risk agent ## What is Mastra AI? Mastra AI is a TypeScript framework for building AI agents with tool support. It provides a clean API for creating agents that can use external services through MCP. Key features include: - MCP Client: Built-in support for Model Context Protocol servers - Toolsets: Organize tools into logical groups - Step Callbacks: Monitor and debug agent execution - OpenAI Integration: Works with OpenAI models via @ai-sdk/openai ## What is the 21risk MCP server, and what's possible with it? The 21risk MCP server is an implementation of the Model Context Protocol that connects your AI agent and assistants like Claude, Cursor, etc directly to your 21risk account. It provides structured and secure access to your checklists, audits, compliance data, and risk models, so your agent can retrieve reports, analyze compliance status, and streamline audit management on your behalf. - Automated compliance insights and analytics: Instantly fetch compliance data for sites, categories, or specific questions to support analytics and reporting needs. - Audit report management: Retrieve draft, published, or scheduled audit reports, enabling your agent to monitor progress or summarize findings. - Risk model and category exploration: Let your agent list and filter available risk models and categories to assist with compliance checks and risk assessments. - Monthly item tracking and analysis: Query detailed fact tables of items per month for granular, time-based risk or compliance monitoring. - Site, organization, and property retrieval: Automatically list sites, organizations, and property details, helping you organize and cross-reference risk and compliance data efficiently. ## Supported Tools | Tool slug | Name | Description | |---|---|---| | `_21RISK_GET_COMPLIANCE` | Get Compliance | Tool to retrieve compliance data for sites, categories, or questions. Use when you need OData-based compliance data for analytics or reporting. | | `_21RISK_GET_ITEMS` | Get Items (BETA) | Tool to retrieve items (BETA) from the 21RISK OData API. Use when you need a filtered and paged list of items for analytics and reporting. Example: GET_ITEMS($filter="Item Cost gt 100", $top=50). | | `_21RISK_GET_ITEMS_PER_MONTH` | Get Items Per Month | Tool to retrieve fact table data for ItemsPerMonth, one row per question per site per month. Use when querying monthly item data with OData parameters ($filter, $top, $skip, $select, maxPageSizeInMb). | | `_21RISK_GET_ORGANIZATIONS` | Get Organizations | Tool to retrieve organizations from the 21RISK OData API. Use when you need to list, filter, or paginate organizations via OData parameters after authentication is confirmed. | | `_21RISK_GET_PROPERTIES` | Get Properties | Tool to fetch a list of properties related to sites, including COPE information and other relevant data. Use when you need property insurance details via OData API after authentication. | | `_21RISK_GET_REPORTS` | Get Reports | Tool to retrieve audit reports, including draft, published, and scheduled reports. Use when you need a paginated list of reports with optional OData filtering. | | `_21RISK_GET_RISKMODEL_CATEGORIES` | Get RiskModel Categories | Tool to retrieve risk model categories for grouping questions and compliance checks. Use when you need to filter, select, or paginate risk model categories via OData parameters ($filter, $select, $orderby, $top, $skip, $count). | | `_21RISK_GET_RISK_MODELS` | Get Risk Models | Tool to retrieve risk models used for audits and compliance. Use when you need to list available risk models with optional OData queries. | ## Supported Triggers None listed. ## Creating MCP Server - Stand-alone vs Composio SDK The 21risk MCP server is an implementation of the Model Context Protocol that connects your AI agent to 21risk. It provides structured and secure access so your agent can perform 21risk operations on your behalf through a secure, permission-based interface. With Composio's managed implementation, you don't have to create your own developer app. For production, if you're building an end product, we recommend using your own credentials. The managed server helps you prototype fast and go from 0-1 faster. ## Step-by-step Guide ### 1. Prerequisites Before starting, make sure you have: - Node.js 18 or higher - A Composio account with an active API key - An OpenAI API key - Basic familiarity with TypeScript ### 1. Getting API Keys for OpenAI and Composio OpenAI API Key - Go to the [OpenAI dashboard](https://platform.openai.com/settings/organization/api-keys) and create an API key. - You need credits or a connected billing setup to use the models. - Store the key somewhere safe. Composio API Key - Log in to the [Composio dashboard](https://dashboard.composio.dev?utm_source=toolkits&utm_medium=framework_docs). - Go to Settings and copy your API key. - This key lets your Mastra agent talk to Composio and reach 21risk through MCP. ### 2. Install dependencies Install the required packages. What's happening: - @composio/core is the Composio SDK for creating MCP sessions - @mastra/core provides the Agent class - @mastra/mcp is Mastra's MCP client - @ai-sdk/openai is the model wrapper for OpenAI - dotenv loads environment variables from .env ```bash npm install @composio/core @mastra/core @mastra/mcp @ai-sdk/openai dotenv ``` ### 3. Set up environment variables Create a .env file in your project root. What's happening: - COMPOSIO_API_KEY authenticates your requests to Composio - COMPOSIO_USER_ID tells Composio which user this session belongs to - OPENAI_API_KEY lets the Mastra agent call OpenAI models ```bash COMPOSIO_API_KEY=your_composio_api_key_here COMPOSIO_USER_ID=your_user_id_here OPENAI_API_KEY=your_openai_api_key_here ``` ### 4. Import libraries and validate environment What's happening: - dotenv/config auto loads your .env so process.env.* is available - openai gives you a Mastra compatible model wrapper - Agent is the Mastra agent that will call tools and produce answers - MCPClient connects Mastra to your Composio MCP server - Composio is used to create a Tool Router session ```typescript import "dotenv/config"; import { openai } from "@ai-sdk/openai"; import { Agent } from "@mastra/core/agent"; import { MCPClient } from "@mastra/mcp"; import { Composio } from "@composio/core"; import * as readline from "readline"; import type { AiMessageType } from "@mastra/core/agent"; const openaiAPIKey = process.env.OPENAI_API_KEY; const composioAPIKey = process.env.COMPOSIO_API_KEY; const composioUserID = process.env.COMPOSIO_USER_ID; if (!openaiAPIKey) throw new Error("OPENAI_API_KEY is not set"); if (!composioAPIKey) throw new Error("COMPOSIO_API_KEY is not set"); if (!composioUserID) throw new Error("COMPOSIO_USER_ID is not set"); const composio = new Composio({ apiKey: composioAPIKey as string, }); ``` ### 5. Create a Tool Router session for 21risk What's happening: - create spins up a short-lived MCP HTTP endpoint for this user - The toolkits array contains "_21risk" for 21risk access - session.mcp.url is the MCP URL that Mastra's MCPClient will connect to ```typescript async function main() { const session = await composio.create( composioUserID as string, { toolkits: ["_21risk"], }, ); const composioMCPUrl = session.mcp.url; console.log(" 21risk MCP URL:", composioMCPUrl); ``` ### 6. Configure Mastra MCP client and fetch tools What's happening: - MCPClient takes an id for this client and a list of MCP servers - The headers property includes the x-api-key for authentication - getTools fetches the tool definitions exposed by the 21risk toolkit ```typescript const mcpClient = new MCPClient({ id: composioUserID as string, servers: { nasdaq: { url: new URL(composioMCPUrl), requestInit: { headers: session.mcp.headers, }, }, }, timeout: 30_000, }); console.log("Fetching MCP tools from Composio..."); const composioTools = await mcpClient.getTools(); console.log("Number of tools:", Object.keys(composioTools).length); ``` ### 7. Create the Mastra agent What's happening: - Agent is the core Mastra agent - name is just an identifier for logging and debugging - instructions guide the agent to use tools instead of only answering in natural language - model uses openai("gpt-5") to configure the underlying LLM ```typescript const agent = new Agent({ name: "_21risk-mastra-agent", instructions: "You are an AI agent with 21risk tools via Composio.", model: "openai/gpt-5", }); ``` ### 8. Set up interactive chat interface What's happening: - messages keeps the full conversation history in Mastra's expected format - agent.generate runs the agent with conversation history and 21risk toolsets - maxSteps limits how many tool calls the agent can take in a single run - onStepFinish is a hook that prints intermediate steps for debugging ```typescript let messages: AiMessageType[] = []; console.log("Chat started! Type 'exit' or 'quit' to end.\n"); const rl = readline.createInterface({ input: process.stdin, output: process.stdout, prompt: "> ", }); rl.prompt(); rl.on("line", async (userInput: string) => { const trimmedInput = userInput.trim(); if (["exit", "quit", "bye"].includes(trimmedInput.toLowerCase())) { console.log("\nGoodbye!"); rl.close(); process.exit(0); } if (!trimmedInput) { rl.prompt(); return; } messages.push({ id: crypto.randomUUID(), role: "user", content: trimmedInput, }); console.log("\nAgent is thinking...\n"); try { const response = await agent.generate(messages, { toolsets: { _21risk: composioTools, }, maxSteps: 8, }); const { text } = response; if (text && text.trim().length > 0) { console.log(`Agent: ${text}\n`); messages.push({ id: crypto.randomUUID(), role: "assistant", content: text, }); } } catch (error) { console.error("\nError:", error); } rl.prompt(); }); rl.on("close", async () => { console.log("\nSession ended."); await mcpClient.disconnect(); process.exit(0); }); } main().catch((err) => { console.error("Fatal error:", err); process.exit(1); }); ``` ## Complete Code ```typescript import "dotenv/config"; import { openai } from "@ai-sdk/openai"; import { Agent } from "@mastra/core/agent"; import { MCPClient } from "@mastra/mcp"; import { Composio } from "@composio/core"; import * as readline from "readline"; import type { AiMessageType } from "@mastra/core/agent"; const openaiAPIKey = process.env.OPENAI_API_KEY; const composioAPIKey = process.env.COMPOSIO_API_KEY; const composioUserID = process.env.COMPOSIO_USER_ID; if (!openaiAPIKey) throw new Error("OPENAI_API_KEY is not set"); if (!composioAPIKey) throw new Error("COMPOSIO_API_KEY is not set"); if (!composioUserID) throw new Error("COMPOSIO_USER_ID is not set"); const composio = new Composio({ apiKey: composioAPIKey as string }); async function main() { const session = await composio.create(composioUserID as string, { toolkits: ["_21risk"], }); const composioMCPUrl = session.mcp.url; const mcpClient = new MCPClient({ id: composioUserID as string, servers: { _21risk: { url: new URL(composioMCPUrl), requestInit: { headers: session.mcp.headers, }, }, }, timeout: 30_000, }); const composioTools = await mcpClient.getTools(); const agent = new Agent({ name: "_21risk-mastra-agent", instructions: "You are an AI agent with 21risk tools via Composio.", model: "openai/gpt-5", }); let messages: AiMessageType[] = []; const rl = readline.createInterface({ input: process.stdin, output: process.stdout, prompt: "> ", }); rl.prompt(); rl.on("line", async (input: string) => { const trimmed = input.trim(); if (["exit", "quit"].includes(trimmed.toLowerCase())) { rl.close(); return; } messages.push({ id: crypto.randomUUID(), role: "user", content: trimmed }); const { text } = await agent.generate(messages, { toolsets: { _21risk: composioTools }, maxSteps: 8, }); if (text) { console.log(`Agent: ${text}\n`); messages.push({ id: crypto.randomUUID(), role: "assistant", content: text }); } rl.prompt(); }); rl.on("close", async () => { await mcpClient.disconnect(); process.exit(0); }); } main(); ``` ## Conclusion You've built a Mastra AI agent that can interact with 21risk through Composio's Tool Router. You can extend this further by: - Adding other toolkits like Gmail, Slack, or GitHub - Building a web-based chat interface around this agent - Using multiple MCP endpoints to enable cross-app workflows ## How to build 21risk MCP Agent with another framework - [OpenAI Agents SDK](https://composio.dev/toolkits/_21risk/framework/open-ai-agents-sdk) - [Claude Agent SDK](https://composio.dev/toolkits/_21risk/framework/claude-agents-sdk) - [Claude Code](https://composio.dev/toolkits/_21risk/framework/claude-code) - [Claude Cowork](https://composio.dev/toolkits/_21risk/framework/claude-cowork) - [Codex](https://composio.dev/toolkits/_21risk/framework/codex) - [OpenClaw](https://composio.dev/toolkits/_21risk/framework/openclaw) - [Hermes](https://composio.dev/toolkits/_21risk/framework/hermes-agent) - [CLI](https://composio.dev/toolkits/_21risk/framework/cli) - [Google ADK](https://composio.dev/toolkits/_21risk/framework/google-adk) - [LangChain](https://composio.dev/toolkits/_21risk/framework/langchain) - [Vercel AI SDK](https://composio.dev/toolkits/_21risk/framework/ai-sdk) - [LlamaIndex](https://composio.dev/toolkits/_21risk/framework/llama-index) - [CrewAI](https://composio.dev/toolkits/_21risk/framework/crew-ai) ## Related Toolkits - [Excel](https://composio.dev/toolkits/excel) - Microsoft Excel is a robust spreadsheet application for organizing, analyzing, and visualizing data. It's the go-to tool for calculations, reporting, and flexible data management. - [Abstract](https://composio.dev/toolkits/abstract) - Abstract provides a suite of APIs for automating data validation and enrichment tasks. It helps developers streamline workflows and ensure data quality with minimal effort. - [Addressfinder](https://composio.dev/toolkits/addressfinder) - Addressfinder is a data quality platform for verifying addresses, emails, and phone numbers. It helps you ensure accurate customer and contact data every time. - [Agentql](https://composio.dev/toolkits/agentql) - Agentql is a toolkit that connects AI agents to the web using a specialized query language. It enables structured web interaction and data extraction for smarter automations. - [Agenty](https://composio.dev/toolkits/agenty) - Agenty is a web scraping and automation platform for extracting data and automating browser tasks—no coding needed. It streamlines data collection, monitoring, and repetitive online actions. - [Ambee](https://composio.dev/toolkits/ambee) - Ambee is an environmental data platform providing real-time, hyperlocal APIs for air quality, weather, and pollen. Get precise environmental insights to power smarter decisions in your apps and workflows. - [Ambient weather](https://composio.dev/toolkits/ambient_weather) - Ambient Weather is a platform for personal weather stations with a robust API for accessing local, real-time, and historical weather data. Get detailed environmental insights directly from your own sensors for smarter apps and automations. - [Anonyflow](https://composio.dev/toolkits/anonyflow) - Anonyflow is a service for encryption-based data anonymization and secure data sharing. It helps organizations meet GDPR, CCPA, and HIPAA data privacy compliance requirements. - [Api ninjas](https://composio.dev/toolkits/api_ninjas) - Api ninjas offers 120+ public APIs spanning categories like weather, finance, sports, and more. Developers use it to supercharge apps with real-time data and actionable endpoints. - [Api sports](https://composio.dev/toolkits/api_sports) - Api sports is a comprehensive sports data platform covering 2,000+ competitions with live scores and 15+ years of stats. Instantly access up-to-date sports information for analysis, apps, or chatbots. - [Apify](https://composio.dev/toolkits/apify) - Apify is a cloud platform for building, deploying, and managing web scraping and automation tools called Actors. It lets you automate data extraction and workflow tasks at scale—no infrastructure headaches. - [Autom](https://composio.dev/toolkits/autom) - Autom is a lightning-fast search engine results data platform for Google, Bing, and Brave. Developers use it to access fresh, low-latency SERP data on demand. - [Beaconchain](https://composio.dev/toolkits/beaconchain) - Beaconchain is a real-time analytics platform for Ethereum 2.0's Beacon Chain. It provides detailed insights into validators, blocks, and overall network performance. - [Big data cloud](https://composio.dev/toolkits/big_data_cloud) - BigDataCloud provides APIs for geolocation, reverse geocoding, and address validation. Instantly access reliable location intelligence to enhance your applications and workflows. - [Bigpicture io](https://composio.dev/toolkits/bigpicture_io) - BigPicture.io offers APIs for accessing detailed company and profile data. Instantly enrich your applications with up-to-date insights on 20M+ businesses. - [Bitquery](https://composio.dev/toolkits/bitquery) - Bitquery is a blockchain data platform offering indexed, real-time, and historical data from 40+ blockchains via GraphQL APIs. Get unified, reliable access to complex on-chain data for analytics, trading, and research. - [Brightdata](https://composio.dev/toolkits/brightdata) - Brightdata is a leading web data platform offering advanced scraping, SERP APIs, and anti-bot tools. It lets you collect public web data at scale, bypassing blocks and friction. - [Builtwith](https://composio.dev/toolkits/builtwith) - BuiltWith is a web technology profiler that uncovers the technologies powering any website. Gain actionable insights into analytics, hosting, and content management stacks for smarter research and lead generation. - [Byteforms](https://composio.dev/toolkits/byteforms) - Byteforms is an all-in-one platform for creating forms, managing submissions, and integrating data. It streamlines workflows by centralizing form data collection and automation. - [Cabinpanda](https://composio.dev/toolkits/cabinpanda) - Cabinpanda is a data collection platform for building and managing online forms. It helps streamline how you gather, organize, and analyze responses. ## Frequently Asked Questions ### What are the differences in Tool Router MCP and 21risk MCP? With a standalone 21risk MCP server, the agents and LLMs can only access a fixed set of 21risk tools tied to that server. However, with the Composio Tool Router, agents can dynamically load tools from 21risk and many other apps based on the task at hand, all through a single MCP endpoint. ### Can I use Tool Router MCP with Mastra AI? Yes, you can. Mastra AI fully supports MCP integration. You get structured tool calling, message history handling, and model orchestration while Tool Router takes care of discovering and serving the right 21risk tools. ### Can I manage the permissions and scopes for 21risk while using Tool Router? Yes, absolutely. You can configure which 21risk scopes and actions are allowed when connecting your account to Composio. You can also bring your own OAuth credentials or API configuration so you keep full control over what the agent can do. ### How safe is my data with Composio Tool Router? All sensitive data such as tokens, keys, and configuration is fully encrypted at rest and in transit. Composio is SOC 2 Type 2 compliant and follows strict security practices so your 21risk data and credentials are handled as safely as possible. --- [See all toolkits](https://composio.dev/toolkits) · [Composio docs](https://docs.composio.dev/llms.txt)